The first time I heard about a series of emailed bomb threats was early in the day on Dec. 13, when I got a note from a security researcher letting me know about it. After that, I found stories about more such threats here in the Washington area and elsewhere. A quick look at the emails made it clear that this was a hoax.
As has been the case of scam emails starting from the days of the Nigerian prince, the email was written in broken English, its details were vague, and it made unlikely claims. The researcher who told me about it said that he’d ignored it until he heard about it going on elsewhere. In this case, ignoring the email was the right call.
Of course it was a fairly easy call for most places that received the email, but not for everyone. Schools that received their own copies were either locked down or evacuated, including (tragically) Sandy Hook Elementary in Connecticut and Columbine High School in Colorado. Government offices and many companies were also evacuated while police searched their buildings.
The FBI issued a statement that day about the threats, saying in a tweet that the agency was aware of the threats, and that they were working with local law enforcement to provide assistance.
Each of the emailed threats contained a vague description of an explosive device and a demand that the recipient pay $20,000 in Bitcoin to keep the bomb from going off. The problem for the bad guys was that the email was so obviously a hoax that nobody paid the ransom.
However, this ransom email was a lot like one that circulated earlier this year in which the sender claimed that he’d taken over the recipient’s webcam and had recorded them watching pornography. Then the threat was that the video would be sent to the victim’s contact list unless a ransom in Bitcoin was paid.
The sextortion ploy worked, apparently because the ransom was only a couple hundred dollars, and apparently because a lot of people watch porn on their computers. According to several reports, that effort raised a half million dollars for the bad guys. This most recent attempt seems to have been an effort to rachet up the money with a bigger demand and a bigger threat. But the bad guys missed the mark this time.
But what about next time? The cyber-criminals who launched the emailed bomb threat hoax and those that launched the sexploitation effort may not be the same people, but they are certainly aware of each other, just as they’re aware of those who launch ransomware attacks. They’re also aware that this latest round of emails caused significant disruption in some areas, and they’re aware that ransomware attacks are fairly effective methods of extortion. Their next step could change the game.
Depending on the goals of the cyber-criminal, the changes could include learning English and placing lower demands so that victims are more likely to simply pay the ransom. But the goal could also be to demand a higher ransom, and then to make sure that they’re believed by actually carrying out their threat in at least one location.
If one of the victims had suffered even a small explosion in an evacuated building, you can bet that other places that had received the same threat would start looking for ransom money, which is what the bad guys were after.
While nobody can say that the next extortion effort will involve a bomb threat, you have to assume that an extortion threat of some kind is a near certainty. This means your security team will need a plan and a set of procedures for handling it. Once that process is complete, your staff will need to be trained in how to react, and they should practice their response.
The specific steps will depend on the organization that’s being victimized. For example, a school receiving something like a bomb threat can’t afford to ignore it, even if it’s pretty obvious it’s a hoax. They still need to evacuate everyone. Another organization may decide to simply call the police and ask for help.
What’s important is that each organization needs to have a response plan. Decide who gets such a threatening email, who is responsible for evaluating the threat and who decides the response. Decide what to do if there’s a threat to personal safety versus other types of extortion.
In addition, you need to decide how to preserve evidence so that law enforcement agencies can track down whoever is making the threat and use it against them. You may want to talk to your local law enforcement about setting up the right procedures. In addition, if you’re in an industry with a federal interest, such as a defense contractor, you should also contact federal law enforcement about their suggestions for setting up your procedures.
While this week’s bomb threats weren’t exactly a cybersecurity issue, they did arrive through email, just like phishing attacks or ransomware delivery. If you have email screening software, it might be time to make sure it’s updated. But in the meantime, you’ll be better protected if you have a plan in place--and if the people who need to carry out the plan know what they’re supposed to do.